73 Fake VS Code Extensions Found Spreading GlassWorm Malware

Security researchers have uncovered 73 fake Visual Studio Code extensions on the Open VSX marketplace that were linked to a malware campaign known as GlassWorm v2. The extensions copied names, icons, and descriptions of legitimate tools to trick developers into installing them.

Researchers said at least six of the extensions were confirmed malicious, while others appeared harmless at first and may have been designed as sleeper packages to gain trust before receiving harmful updates later. Once installed, some extensions could download extra malware, steal sensitive data, and spread across multiple developer tools such as VS Code, Cursor, Windsurf, and VSCodium.

The attackers reportedly used these fake add-ons to collect credentials, browser data, and system information, while avoiding systems located in Russia. Security experts warn that developer environments are becoming a prime target because they often contain source code, API keys, and access to internal systems.

Developers are advised to install extensions only from trusted publishers, review permissions carefully, remove unused add-ons, and monitor for suspicious activity. Keeping development tools updated can also reduce the risk of compromise.
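One way to act on the publisher and unused-add-on advice is to inventory what is actually installed in each editor. The script below is an added example, not from the researchers or the original article: it reads each extension's `package.json`, reports anything outside an allowlist, and separately flags extensions that reuse a trusted extension's name under a different publisher. The extension directory paths and the sample allowlist are assumptions to adjust for your environment.

```python
import json
from pathlib import Path

# Assumed default per-user extension directories; verify for your OS and setup.
EDITOR_DIRS = {
    "VS Code": ".vscode/extensions",
    "Cursor": ".cursor/extensions",
    "Windsurf": ".windsurf/extensions",
    "VSCodium": ".vscode-oss/extensions",
}

def read_manifests(ext_root):
    """Yield (publisher, name, version) from each installed extension's manifest."""
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skipped, not trusted
        if isinstance(data, dict):
            yield (str(data.get("publisher", "")).lower(),
                   str(data.get("name", "")).lower(),
                   str(data.get("version", "")))

def audit(ext_root, trusted_ids):
    """Return (extension_id, version, reason) for every non-allowlisted extension."""
    trusted = {t.lower() for t in trusted_ids}
    by_name = {t.split(".", 1)[1]: t for t in trusted}  # name -> trusted id
    findings = []
    for publisher, name, version in read_manifests(ext_root):
        ext_id = f"{publisher}.{name}"
        if ext_id in trusted:
            continue
        if name in by_name:  # same name, different publisher: impersonation pattern
            reason = f"same name as trusted {by_name[name]}"
        else:
            reason = "publisher not allowlisted"
        findings.append((ext_id, version, reason))
    return findings

def audit_home(home, trusted_ids):
    """Audit every editor directory that exists under the given home directory."""
    return {editor: audit(Path(home) / rel, trusted_ids)
            for editor, rel in EDITOR_DIRS.items() if (Path(home) / rel).is_dir()}

if __name__ == "__main__":
    ALLOW = {"ms-python.python"}  # sample allowlist; replace with your approved ids
    for editor, rows in audit_home(Path.home(), ALLOW).items():
        for ext_id, version, reason in rows:
            print(f"{editor}: {ext_id} {version} -> {reason}")
```

Saving the output per machine and diffing it after updates shows when an already-installed extension changes version, which is the moment a sleeper package would turn harmful.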


Source: https://thehackernews.com/2026/04/researchers-uncover-73-fake-vs-code.html